Track 3 platforms and get the weekly governance digest. No credit card required.
This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology
This is Stripe's global sub-processor and service provider list, disclosing the third-party companies and Stripe affiliates that may process personal data on Stripe's behalf when providing payment processing, fraud detection, infrastructure, analytics, and customer support services. The list identifies sub-processors including entities such as Amazon Web Services, Google Cloud, and others, specifying the country of establishment and the processing purpose for each. Businesses using Stripe as a payment processor and subject to GDPR or similar data protection laws are expected to review this list and, depending on their DPA terms, may have the right to object to new sub-processor additions.
This document is Stripe's publicly published list of Service Providers, Sub-Processors, and Affiliates, maintained pursuant to data protection obligations under frameworks including GDPR, which requires controllers and processors to disclose sub-processing arrangements. The document enumerates third-party entities and Stripe affiliates to which personal data may be transferred or made accessible in connection with Stripe's payment processing, fraud detection, infrastructure, analytics, customer support, and compliance services. The document identifies sub-processors by name, country of establishment, and processing purpose, consistent with standard GDPR Article 28 disclosure practice; however, the level of specificity regarding data categories transferred to each sub-processor varies, and the document does not enumerate retention periods or individual data subject rights mechanisms. This list engages GDPR and UK GDPR sub-processor disclosure obligations, SCCs and Data Transfer Addenda for cross-border transfers outside the EEA and UK, and equivalent transfer frameworks in other jurisdictions where Stripe operates; organizations subject to GDPR who use Stripe as a data processor are required under Article 28 to maintain awareness of and, in many cases, consent to sub-processor additions. Compliance teams at merchant organizations should evaluate whether their DPA with Stripe incorporates objection rights for new sub-processor additions and whether the listed cross-border transfers satisfy their own data transfer obligations.
Institutional analysis available with Compliance
Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.
Get ComplianceMonitoring
Stripe has updated this document before.
Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
Compliance Governance Intelligence
Need provision-level monitoring and regulatory mapping?
Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.
Get ComplianceCross-platform context
See how other platforms handle Cross-Border Data Transfers via Listed Sub-Processors and similar clauses.
Compare across platforms →Stripe's terms authorize fund reserves, payout withholding, and account termination. Here is what the agreement states and what business ow…
The Kickstarter-Stripe controversy reveals how payment processors, cloud providers, and AI platforms quietly shape downstream policy decisi…
Mastercard, Stripe, and Cloudflare are building payment infrastructure for autonomous AI agents. The governance layer is not keeping pace.
Governance Monitoring
Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.